Belgium Fines Yahoo For Protecting User Privacy On Its US Servers

from the this-is-bad... dept

For many years, we've discussed the many challenges faced by countries in trying to recognize that "jurisdiction" on the internet isn't what they probably think it is. Many countries want to interpret internet jurisdiction as "if it's accessible here via the internet, it's covered by our laws." But it doesn't take much scenario planning to recognizing what a disaster would result from such an interpretation. Effectively that means that the most restrictive legislation anywhere in the world (think: China, Iran, Saudi Arabia, etc.) would apply everywhere else.

That's why it's quite worrisome to find out that Belgium is trying to fine Yahoo for protecting its users' privacy and refusing to hand over user data to Belgian officials. Yahoo noted, accurately, that it does not have any operation in Belgium, and the data in question was held on US servers, not subject to Belgian law. On top of that, the US and Belgium have a good diplomatic relationship, such that such a data request could have gone through established diplomatic channels to make sure that US laws were properly obeyed as well. But, instead, Belgian officials just demanded the info from Yahoo's US headquarters directly, and then took the company to criminal court where the judge issued the fine. The Center for Democracy & Technology highlights the problems of not pushing back against this ruling:

The implications of this ruling are profound and far-reaching. Following the court's logic would subject user data associated with any service generally available online to the jurisdiction of all countries. It would also subject all companies that offer services generally available on the global Internet to the laws of all jurisdictions, potentially exposing individual employees to a variety of criminal sanctions.

The U.S. government should be paying close attention here: To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium's moral authority since, after all, it would only be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.

CDT suggests the US government should get involved and protest the Belgian court ruling:

In the present case, Yahoo! has done right by its users. The company asked law enforcement officials to follow established diplomatic and legal processes in order to gain access to user information. It also enlisted the support of its home government to facilitate the process. In return, Belgian authorities have flouted an existing MLAT agreement, slapped Yahoo! with a fine, and set a dangerous precedent that potentially imperils the privacy of all Internet users and invites abuse by bad actors.

If Yahoo! says "No, screw you. We won't give you the data and won't pay your fine." what will the Belgium officials do? Write Yahoo! a very angry letter explaining how angry they are?
Where Yahoo! hasn't got a presence there, I would of given them the finger too. Heck, I think Yahoo! has gone above and beyond already by noting the US government that such a request by the Belgiums might be underway.

I guess that means that any internet company in Belgium has to follow all the US's laws as well, right? Does that mean that Belgium internet companies will have to get the proper permits and such from the US government? I'm sure the IRS will want their cut as well...

The current state of affairs...

With countries trying to enforce their laws on foreign internet companies, it is a wonder anyone would want to start a new website. If Belgium doesn't like Yahoo, then why don't they just put in a national filter? Or would that not be popular with the Belgians and cause a backlash? I hope Yahoo gives them the proverbial finger.

Unenforceable

> Yahoo noted, accurately, that it does not have any operation in Belgium

If that's the case, then they should just ignore the fine. If the company has no presence in Belgium, there's nothing the country can do to collect the fine. What are they gonna do? Come over here and arrest the CEO? Try that and the Belgian officials would be arrested themselves for kidnapping.

I know if I was a US citizen just going about my business in the US and I got a notice of fine from Belgium for something I said on the internet that violates Belgian law, I'd crumple it up and toss it. It's completely unenforceable.

Re: Unenforceable

"I know if I was a US citizen just going about my business in the US and I got a notice of fine from Belgium for something I said on the internet that violates Belgian law, I'd crumple it up and toss it. It's completely unenforceable."

Are you crazy? Be careful what you do with that notice! The Belgiums are everywhere!

Re:

"The fine was issued because they were tracking a group of criminals that used yahoo e-mails to communicate, and yahoo refused to hand over the identities [because the idiotic Belgium authorities couldn't be bothered to go through the proper channels]"

Re: Re:

Typical bureaucratic nonsense. The Department of Public Whohaws and Geegaws receives an officially stamped Letter of Objection from the Representative of Nonsense and Jokes that "...something must be done about this outrage." and so shoots off a Punitive Action Item to several Committees About Nothing which spurs into action a number of Canonical Discussions of Writ in which... well, you get the gist. We all have this kind of crap, but Europe really values them and takes political process really seriously.

Re: The current state of affairs...

Its really not a problem; if Yahoo is smart (and we've seen that they aren't particularly bright over there in some respects) they will simply ignore Belgium. The WORST thing they could do is send some one over there to parley with with the Belgium Parliament and "...try to work something out."

If they wanted the information

All they had to do was hire a US attorney to go to court and request a subpoena for the information. Or, you know, have their diplomat request help from the US Attorney's office for the same. I'm sure Yahoo would have been glad to hand it over in that case.

For many years, we've discussed the many challenges faced by countries in trying to recognize that "jurisdiction" on the internet isn't what they probably think it is. Many countries want to interpret internet jurisdiction as "if it's accessible here via the internet, it's covered by our laws."

So, in this instance a US company with no links to Belgium and US data should be under US laws. The law in Belgium shouldn't be applied to Yahoo just because someone in Belgium accessed a yahoo site. Agree with that.

But then how about the NPG case - a UK entity with (as far as I know) no outlet in the US, and UK data ... but somehow people are arguing that just because the pictures on their website are available in the US they come under US copyright laws?

Sounds to me like it's not just countries coming up with odd conclusions on jurisdiction?

Intresting

While this cover international aspects of internet law, This has potential ramifications in interstate internet law. Specifically tax collection. If there is no physical presence in the users state should sales tax be collected for that state? The item was purchased from the servers in state "X" so it seems that sales tax could be collected for all sales in state "X" but not for sales in state "Y" ..... hmmmm

EU ramifications?

OK, I'm making a small jump here by assuming that Belgium is part of the EU, but let's assume that they are. In that case, can Belgium require other EU nations where Yahoo actually does have a presence to enforce judgements from Belgium? If they can, then this will be an issue for Yahoo and they probably will have to deal with it sooner or later.

Re:

Your analogy, while interesting, is severely broken.

The "US data" of Yahoo in question was not published on a website and distributed internationally. And Yahoo wasn't refusing to give it to the Belgian authorities because they were claiming copyright on said data.

Difference in jurisdiction

Every communication system in a local country is being watched by local authorities. The bigger countries also have a spy system to watch communications outside their borders. US has, Belgium has not such a system.

In case of criminal investigation, local police can ask for information cross border. In Europe, there is special legislation to pass information cross-border.
There is no such system in between Belgium and the US for criminal action. Everything has to go over interpol or by means of political pressure, embassies or direct contacts in between police systems.

This can upset local police and tresspass the borders of what they are authorized to do. In Belgium there are laws that authorize jurisdiction to tresspass all borders as soon as a person with links to Belgium is involved.

I guess both issues have been mixed here and this should really be left to lawyers.

And yes, Belgium can ask retaliation all over Europe against Yahoo, but they will have to convice the Polish and UK to do so as well.
And yes, Belgian companies are attacked all the time this way by US juridical systems. And yes the US has more local laws allowing to protect interests of US individuals and companies around the world.

In globo, if yahoo can be forced to hand over data about individuals to US juridical system, it should also be possible for other countries that are part of the WTO to ask the same. And this in all countries and in all directions.

Re:

The two cases aren't even remotely similar. In the NPG case, they willfully allowed the pictures to be transferred to the United States. Once that has happened, the pictures fall under United States copyright law, that is correct. To think otherwise would be foolish. Do you know where the servers you access are located? Are you familiar with every countries laws? How do you know that you haven't violated a law in boogywoogievillestein when you viewed that ad that was on that page you saw last week?

Re: Unenforceable

First it's a rather stupid idea, but it's rather common. E.g. all countries, including the US to work with this legal setup.

Second the US has clearly shown how to enforce stuff like that. E.g. arrest the officers of the company when they enter the US. In this case Yahoo officers and/or employees might get arrested when entering the Union.

Third, the US is also one of the countries that consider it okay to kidnap somebody abroad to try him at home.
(http://www.questia.com/googleScholar.qst;jsessionid=KhRWVzZ8d4yPFH1nSBNBGB1Z1xsygKbHMCj2YTpw TJxFNWd3bTV5!342583392!-481857147?docId=5000479708)
)

Basically, this happens all the time, in the real economy (not just the Internet), and it's usually the USA that forces it's laws on the rest of the world. Though luck when it happens the other way.

(Examples the Cuba embargo has caused an Austrian bank that got acquired by an US fond to cancel accounts by Cubans. Which is punishable in the EU and in Austria. Hence the fund had to get an exception, or the bank would be continually fined. Or the UBS handling. Guess not many people in the US realize that handing over customer data like that has been a felony in Switzerland. Or how the US has forced SWIFT to hand over data clandestinely. And so on.)

Re: Unenforceable

Personal Indentifying Information

All of the security systems are moving toward a system of Personal Indentifying Information (PII). If it was the United States (not Belgium) and the Chinese government attacked your computers en masse, would you trust Yahoo! to keep their information private from the US Government so that no-one knows who they are? Don't confuse the Government mandate to keep information private from keeping a way to catch criminals. Belgium is doing nothing more than protecting it's citizens from unknown criminal gangs of hackers.

ATIIL

Re: Personal Indentifying Information

"Don't confuse the Government mandate to keep information private from keeping a way to catch criminals. Belgium is doing nothing more than protecting it's citizens from unknown criminal gangs of hackers."

Privacy is privacy. If you don't protect the privacy of 'alleged' criminals before they've even been brought to trial, then you're simply not protecting privacy at all. You can't pick and choose.

If Belgium wants to protect its citizens, then it should work within the law: contact the US Government and obtain a subpoena for the information from Yahoo. If it ignores the proper channels, Yahoo has no recourse but to protect the rights of its users under US law, which states that it can't just randomly give out information just because someone asked for it. Not even the US Government gets that. It has to ask for it in a proper and legal way.

Alot of genius has come out of Belgium. I'm surprised the Belgian government didn't take the more diplomatic approach. They may have actually got what they wanted. Instead they were fast with their gun, made themselves look foolish and received nothing they actually wanted. Not very constructive.